hswan
Status: Dead and archived for posterity. It might come back for a v2. Ask q3k.
q3k's pipedream of an intra-Hackerspace (and not only) alternate IP network, based on point-to-point links and BGP. Currently centered around the Warsaw Hackerspace.
Technology
- Secure links over the public internet or private links
- BGP with 32-bit AS names
- RFC1918 10/8 allowed
- might allow longer IPv4 prefixes than /24
- need to find a crypto system for authorizing which ASes and prefixes may be announced - right now, we are as secure as the Internet is (not much)
Number Assignment
Currently, there is one assignment authority, and that is the Warsaw Hackerspace. For assignment, please contact bofh@hackerspace.pl.
ASN
We use the 32-bit private ASN numbering scheme, as defined by RFC6996. Each system that is part of the WAN must have an AS number assigned.
ASN | OrgName | PoC | Physical presence | Willing to peer physically? |
---|---|---|---|---|
4242424242 | Warsaw Hackerspace | bofh@hackerspace.pl | Warsaw, ul. Wolność 2A | Yes. Radio within LoS |
4250000001 | q3knet | q3k@q3k.org | Garching, Bayern, Germany | Maybe? Freifunk MUC? |
4250000002 | Hackerspace Krakow | noc@hackerspace-krk.pl | Cracow, Zacisze 5/P1 | Probably ;) |
4250000003 | Dragon Sector | noc@drgns.pl | n/a (Internet) | No. |
4250000004 | Nibylandia | ar@bash.org.pl | Warsaw, ul. ? | |
4250000005 | _lambdarail_ | lquawl@hackerspace.pl | Warsaw, ul. Jaktorowska | |
4250000006 | pidpawel | abuse@pidpawel.eu | Kraków, Ruczaj | Yes. |
4242422001 | buka | enki@fsck.pl | Warsaw | |
4250000008 | dfgg | dfgg@hackerspace.pl | Bydgoszcz | Currently no. |
4250000009 | archnet | on demand via q3k@hspl | Warsaw | |
4250000010 | hskrk-mciancia | | Kraków | |
4250000011 | aquila | mlen@mlen.pl | Jelenia Góra | |
4250000012 | googlecloud | q3k@q3k.org | THE CLOUD | |
4250000013 | tog | admin@tog.ie | Blackpitts, Dublin | Yes. |
4250000014 | hskrk-wiktor | wiktor@hackerspace-krk.pl | Kraków, ul. Kluzeka | sure, will try mesh soon |
4250000015 | tkd | tomek@hackerspace.pl | Kallang Road, Singapore | No. |
4250000016 | hskrk-alwaro | alwaronx@gmail.com | Kraków | |
4250000017 | finitestate.solutions | fss@finitestate.solutions | Warsaw, ul. Wolność 2A | Yes. |
4250000018 | hsldz | lodz@lists.hackerspace.pl | Łódź | |
4250000019 | hswro | wiktor@hackerspace-krk.pl | Wrocław | yup |
4250000020 | hskrk-zagura | | | |
IPv4 Addresses
We use the 24-bit RFC1918 pool (10/8). When we run out, we'll figure out what to do. Bear in mind, a location can use IPv4 outside this pool (or overlapping with it), but such addresses will need to be NATted.
Prefix | OrgName | NetName |
---|---|---|
10.8.0.0/14 | Warsaw Hackerspace | hswawnet01 |
10.12.0.0/16 | Hackerspace Krakow | hskrknet01 |
10.13.0.0/16 | Dragon Sector | dsnet01 |
10.14.0.0/16 | hsldz | hsldz01 |
10.21.0.0/16 | dfgg | hurrdurr01 |
10.23.0.0/16 | pidpawel | pidnet01 |
10.24.10.0/24 | Nibylandia | nbland01 |
10.24.20.0/24 | Nibylandia | nbland02 |
10.24.250.0/24 | Nibylandia | nbland03 |
10.25.0.0/16 | _lambdarail_ | lbrail01 |
10.26.0.0/16 | archnet | archnet01 |
10.30.0.0/24 | googlecloud | googlecloud-euwest1 |
10.30.1.0/24 | googlecloud | googlecloud-uscentral1 |
10.42.0.0/16 | hskrk | hskrk-members |
10.42.0.0/20 | hskrk-wiktor | hskrk-wiktor |
10.42.16.0/20 | hskrk-mciancia | hskrk-mciancia |
10.42.32.0/20 | hskrk-alwaro | hskrk-alwaro |
10.42.48.0/20 | hskrk-zagura | hskrk-zagura |
10.44.0.0/16 | hswro | hswro01 |
10.48.0.0/16 | tog | tog01 |
10.50.0.0/24 | tkd | xibalba |
10.78.0.0/24 | q3knet | q3knet01 |
10.78.1.0/24 | q3knet | q3knet02 |
10.78.2.0/24 | q3knet | q3knet03 |
10.99.0.0/24 | BUKA | BUKA-HSWAN-NET |
10.100.0.0/23 | aquila | aquila01 |
10.110.0.0/16 | finitestate.solutions | fss00 |
172.20.171.64/26 | BUKA | BUKA-DN42-NET |
IPv6 Addresses
We need to figure this out soon.
Security Implications
Since we base off the technology stack of the Internet, security is mostly by trust. This means that, if you join hswan, you should take precautions by securing your local network. Remember to:
- Make sure to only expose services that you would feel comfortable with being directly on the Internet
- Statefully firewall off access to your guests' machines (laptops, phones…)
- Keep your network device management interfaces away from the WAN completely
- Filter incoming BGP prefixes against injection of your own address space and 0/0
- Not really rely on the confidentiality of a link to another site (use end-to-end encryption)
- Whitelist, don't blacklist
With these precautions in place you should be able to experience the fun of having a world-wide Hackerspace WAN without putting your network in danger.
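The prefix-filtering bullet above, worked through as an added example (not part of the original page or of any hswan site's real router config): an import policy check for routes received over a hswan BGP session. It rejects 0/0, anything outside the 10/8 pool, prefixes longer than /24, anything overlapping the site's own space, and AS paths that contain the site's own ASN or ASNs outside the RFC6996 32-bit private range. The own-prefix and own-ASN values are pidpawel's entries from the tables, used only as illustrative constants.

```python
import ipaddress
from typing import List, Tuple

# Local policy for one hypothetical hswan site (values picked from the page's tables).
OWN_ASN = 4250000006
OWN_PREFIXES = [ipaddress.ip_network("10.23.0.0/16")]
HSWAN_POOL = ipaddress.ip_network("10.0.0.0/8")        # the only pool hswan routes
MAX_PREFIX_LEN = 24                                    # longest prefix accepted today
PRIVATE_ASN_32 = range(4200000000, 4294967295)         # RFC6996: 4200000000-4294967294


def check_route(prefix: str, as_path: List[int]) -> Tuple[bool, str]:
    """Return (accept, reason) for one prefix + AS_PATH received from a peer."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as e:
        return False, f"malformed prefix: {e}"
    if net.version != 4:
        return False, "no IPv6 policy yet"
    if net.prefixlen == 0:
        return False, "default route (0/0) not accepted"
    if not net.subnet_of(HSWAN_POOL):
        return False, "outside the 10/8 pool"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"longer than /{MAX_PREFIX_LEN}"
    # Reject both more-specifics of our space and aggregates that would cover it.
    for own in OWN_PREFIXES:
        if net.subnet_of(own) or own.subnet_of(net):
            return False, f"overlaps own space {own}"
    if not as_path:
        return False, "empty AS_PATH"
    if OWN_ASN in as_path:
        return False, "own ASN in AS_PATH (loop or spoofed origin)"
    for asn in as_path:
        if asn not in PRIVATE_ASN_32:
            return False, f"ASN {asn} outside RFC6996 private range"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample announcements, as a peer might send them.
    received = [
        ("10.8.0.0/14", [4242424242]),
        ("0.0.0.0/0", [4242424242]),
        ("10.23.5.0/24", [4242424242]),
        ("10.78.0.0/25", [4250000001]),
        ("10.13.0.0/16", [64512]),
    ]
    for prefix, path in received:
        ok, why = check_route(prefix, path)
        print(f"{'ACCEPT' if ok else 'REJECT'} {prefix:<16} {why}")
```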
How to join
- Get an ASN and IPv4 network assigned
- Find a party to peer with
- If interested in a physical link, find one with a physical presence nearby
- If interested in a virtual link, find whomever you can trust and who will trust you
- Establish connectivity, notify Warsaw Hackerspace ops.
How to give someone access
- Please notify Warsaw Hackerspace ops that you will be setting up a link with third parties
- Make sure to only give access to parties that you can trust
- Allowing propagation of hijacked prefixes or ASN announcements is grounds for automatic termination of connectivity
Compared to ChaosVPN
q3k does not really enjoy the idea of being locked into one piece of software. Everything speaks BGP, and the physical link choice is left for the peers to decide (OpenVPN/IPSec/ATM/MPLS/CAT6/Fiber/Radio…).
Also, hswan is more fun and less secure.
Compared to dn42
Same concept - hswan was conjured up before q3k was aware of dn42.
hswan is also compatible with the HSWAW address space and has more blocks available… for now.
hswan @ hswaw
You are free to use the following services:
- DNS for waw.hackerspace.pl: 10.8.1.2
- NAS (for access talk to our BOsFH): 10.8.1.24
- Our private cloud / virtualization service (register an account with our BOsFH first)
- A Minecraft server managed by elia: 10.11.1.24
If you are @HSWAW, you are in HSWAN! Your laptop is statefully firewalled (only outgoing connections are allowed), don't worry. Additionally, if you host anything in our Lab, it will be accessible to people from the WAN.